Splunk Search
Highlighted

Joining Searches for Authentication Times

Explorer

So I have two searches; one for the clientvpnasa and one for the nac, they both require regex:

index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"

and

index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)

I tried "join username [search index=nac......]" didn't work right.

What I want to do is see how long it takes a user to hit the ASA, get authenticated and then be authorized by the NAC...what is the total time of that transaction by user.

Tags (2)
0 Karma
Highlighted

Re: Joining Searches for Authentication Times

Explorer

So what I want to do is have a username, with an entry from the ASA first, then an entry from the NAC....so i can calculate the time from first seen on the ASA to successful authentication on the NAC....

0 Karma
Highlighted

Re: Joining Searches for Authentication Times

SplunkTrust
SplunkTrust

Try something like this

index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"
|append [search index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)] 
|transaction username maxevents=2 | table _time , username, duration
0 Karma
Highlighted

Re: Joining Searches for Authentication Times

Explorer

Very nice indeed, so this is the duration between the ASA and NAC, right? Duration here is in seconds?

0 Karma
Highlighted

Re: Joining Searches for Authentication Times

SplunkTrust
SplunkTrust

Yes and yes.

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.